We pursue the verification of security properties of infrastructure clouds. See talks at EU CSP'12 or ACM CCSW'11.

We consider two domains:

Topology of the infrastructure, that is, how VMs, hosts, networks and storage are interconnected, and

Dynamics of re-configuration, that is, how administrators can change the topology and privileges with cloud operations.

We compare the actual state of the configuration with a desired state specified in formal language.

Approach: Actual State vs. Desired State

Actual state: Tools discover the actual configuration of the virtualized infrastructure and derive a graph/term representation.

Desired state: Security goals are specified in a high-level language, which defines attack states as patterns of facts with logical constraints.

We apply model checking to verify that the topology is free of security violations (static case) or that administrators cannot reach a state that violates the policy by their cloud operations (dynamic case).
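The following is an added illustration of the approach described above, not code from the project or from IBM PowerSC Trusted Surveyor. It represents the actual state as a set of ground facts (a term form of the topology graph), expresses the desired state as an isolation attack pattern that must never match, and explores the administrators' cloud operations by breadth-first search so that both the static check (is the current topology free of violations?) and the dynamic check (can any sequence of operations reach a violating state?) are covered. The topology, zone labels and operation names are constructed for the example.

```python
"""Toy model checker for cloud-topology isolation (added example, not the
project's own tool).  Actual state = frozenset of facts; desired state = an
attack pattern that must not match; cloud operations = state transformers
explored by breadth-first search over the finite state space."""
from collections import deque
from itertools import combinations

# --- actual state: graph/term representation as a frozenset of facts -------
# Constructed sample topology, not taken from any real infrastructure.
INITIAL = frozenset({
    ("zone", "vm-a", "prod"), ("zone", "vm-b", "prod"), ("zone", "vm-c", "dev"),
    ("placed", "vm-a", "host-1"), ("placed", "vm-b", "host-1"),
    ("placed", "vm-c", "host-2"),
    ("attached", "vm-a", "net-prod"), ("attached", "vm-b", "net-prod"),
    ("attached", "vm-c", "net-dev"),
    ("resource_zone", "net-prod", "prod"), ("resource_zone", "net-dev", "dev"),
    ("resource_zone", "net-shared", None),   # a network with no zone label
})


def vms(state):
    return sorted(v for (p, v, _) in state if p == "zone")


def resources(state):
    return sorted(r for (p, r, _) in state if p == "resource_zone")


def zone_of(state, vm):
    return next(z for (p, v, z) in state if p == "zone" and v == vm)


def attached_to(state, vm):
    return {r for (p, v, r) in state if p == "attached" and v == vm}


# --- desired state: attack pattern with a logical constraint ----------------
def violations(state):
    """Isolation violation: two VMs in *different* zones share a resource."""
    found = []
    for x, y in combinations(vms(state), 2):
        if zone_of(state, x) != zone_of(state, y):
            for r in sorted(attached_to(state, x) & attached_to(state, y)):
                found.append((x, y, r))
    return found


# --- cloud operations (dynamic case) ----------------------------------------
def attach(state, vm, res):
    return state | {("attached", vm, res)}


def detach(state, vm, res):
    return state - {("attached", vm, res)}


def unrestricted_ops(state):
    """Every attach/detach an administrator could issue, unguarded."""
    for vm in vms(state):
        for res in resources(state):
            if ("attached", vm, res) in state:
                yield f"detach {vm} {res}", detach(state, vm, res)
            else:
                yield f"attach {vm} {res}", attach(state, vm, res)


def zone_guarded_ops(state):
    """Same operations, but attach requires the resource to carry the VM's zone."""
    for vm in vms(state):
        for res in resources(state):
            if ("attached", vm, res) in state:
                yield f"detach {vm} {res}", detach(state, vm, res)
            elif ("resource_zone", res, zone_of(state, vm)) in state:
                yield f"attach {vm} {res}", attach(state, vm, res)


def reachable_violation(initial, ops, limit=100_000):
    """Breadth-first model check.  Returns (state, trace) for the first
    reachable violating state, or None when every reachable state complies."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        if violations(state):
            return state, trace
        for label, nxt in ops(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
        if len(seen) > limit:
            raise RuntimeError("state space exceeds limit")
    return None


if __name__ == "__main__":
    print("static violations:", violations(INITIAL))
    hit = reachable_violation(INITIAL, unrestricted_ops)
    print("unguarded ops reach violation via:", hit[1] if hit else None)
    print("zone-guarded ops reach violation:",
          reachable_violation(INITIAL, zone_guarded_ops) is not None)
```

The static check passes on the sample topology, the unguarded operation set reaches a violation in a single step (the BFS returns the shortest counterexample trace, which is what an administrator would want to see), and the zone-guarded operation set has a fully compliant reachable state space. Real topologies need a symbolic or bounded search rather than explicit enumeration, but the shape of the argument, actual facts versus a desired-state pattern over reachable states, is the same.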

We analyzed isolation security for a production infrastructure of a global financial institution.

Impact

The research prototype of our cloud security assurance analysis has been transferred to IBM as part of the IBM PowerSC Trusted Surveyor product in 2012. The research started during my time at IBM Research and continued in an industry collaboration at Newcastle.